Detection and Containment Flashcards
The OODA Loop is a decision-making model created to help responders think clearly during the "fog of war"
OODA Loop
OODA Loop
Observe
Orient
Decide
Act
Observe
Involves reflecting on what has been found during observations and considering what should be done next
Orient
Makes suggestions towards an action or response plan while taking into consideration all of the potential outcomes
Decide
Carry out the decision and related changes that need to be made in response to the decision
Act
Defensive Capabilities
Detect
Destroy
Degrade
Disrupt
Deny
Deceive
Identify the presence of an adversary and the resources at their disposal
Detect
Render an adversary’s resources permanently useless or ineffective
Destroy
Reduce an adversary’s capabilities or functionality, perhaps temporarily
Degrade
Interrupt an adversary's communications or frustrate or confuse their efforts
Disrupt
Prevent an adversary from learning about your capabilities or accessing your information assets
Deny
Supply false information to distort the adversary's understanding and awareness
Deceive
Determine if an incident has taken place, triage it, and notify relevant stakeholders
Detection and Analysis
Triage and categorization are done based on an impact-based or taxonomy-based approach
Impact-based Approach
Taxonomy-based Approach
A categorization approach that focuses on the severity of an incident, such as emergency, significant, moderate, or low
Impact-based Approach
An approach that defines incident categories at the top level, such as worm outbreak, phishing attempt, DDoS, external host/account compromise, or internal privilege abuse
Taxonomy-based Approach
An incident that affects mission essential functions and therefore the organization cannot operate as intended
Organizational Impact
An incident that is limited in scope to a single department, small user group, or a few systems
Localized Impact
An incident measurement based on the direct costs incurred because of an incident, such as downtime, asset damage, penalties, and fees
Immediate Impact
An incident measurement based on the costs that arise both during and following the incident, including damage to the company's reputation
Total Impact
Any incident where data is modified or loses integrity
Data Integrity
Incidents that disrupt or threaten a mission essential business function
System Process Criticality
An incident that degrades or interrupts the availability of an asset, system, or business process
Downtime
An incident that creates short-term or long-term costs
Economic
An incident that is linked to the TTPs of known adversary groups with extensive capabilities
Data Correlation
An incident in which the capabilities of the malware are discovered to be linked to an adversary group
Reverse Engineering
An incident that requires extensive recovery time due to its scope or severity
Recovery Time
An incident that was not discovered quickly
Detection Time
Rapid containment is important to an incident response
Limit the scope and magnitude of the incident by securing data and limiting impact to business operations and your customers
Containment
A mitigation strategy that involves removing an affected component from whatever larger environment it is a part of
Isolation
A mitigation strategy that achieves the isolation of a host or group of hosts using network technologies and architecture
Segmentation